You Can Run, But Can You Hide?

A true crime story about tracking fugitives, written by a veteran OSINT hunter and former policeman.

Switzerland, 2007 - Sammy Cinco* sits calmly in the luxurious hotel lobby of a city in Switzerland. The clients, the personnel, no one notices him. Nothing in his clothes or his demeanor shows what he has actually been doing for hours: monitoring the reception and analyzing the behavior of the people coming to the desk. He speaks several languages, so understanding what the rich customers say is easy for him; he has done that dozens of times.

His new target is a wealthy CEO from the Far East; he already knows a lot about him. When the man comes to the reception once again, Sammy Cinco learns the last piece of information he missed: the room number. The CEO exits the hotel with his family. Sammy waits a few minutes and heads to the reception, confident and smiling. He only needs a few words; his social engineering skills are on point. The clerk gives him a keycard for the room of the CEO and Sammy heads to the elevators.

After gaining entry to the suite, he waits for some time, readying himself for the second part of his plan. He picks up the phone, dials the reception number and explains he can’t open the room safe. He demands help, politely but firmly, and the hotel manager complies. Hotel safes have failsafe systems: the security team can open them even if they don’t have the keycode. Once the safe is open, Sammy thanks the manager, accompanies him to the door and says goodbye.
After having emptied the safe, Sammy Cinco uses the cash and the credit cards to buy about 50 thousand dollars' worth of luxury goods. Then, he vanishes from Switzerland.

There’s a quote from Ernest Hemingway you often hear around people chasing fugitives: "There is no hunting like the hunting of man, and those who have hunted armed men long enough and liked it, never care for anything else thereafter".

While I totally agree with the fact that chasing fugitives is addictive, I usually cringe at the word “hunting”. A hunt often means you are chasing someone who’s just running away from you wildly, stupidly. Some of the fugitives I have been chasing for the last couple of years were dumb and did not really challenge our intelligence.

But Sammy Cinco did.

Until 2016, there was no fugitive unit in my police department. At the time, I had been working for the computer crime unit for more than 8 years. Analyzing smartphones and hard drives, searching the internet in all sorts of cases, from the low-level online scams to the worst rapes and murders, terrorism and so on.
The police detective who would later become the first chief of this new fugitive unit called me one day and asked me if I was interested in trying to find someone online and possibly become one of the founding members of the unit. I had had enough of computer forensics and especially of watching millions of images of child abuse; chasing fugitives would be a welcome change for me.

My new boss told me they had received a tip from a source: a Facebook profile linked to a high-level thief who had stolen a lot of money in 2007 from a nearby hotel. I had never heard his name before but Google showed me my own ignorance: Sammy Cinco was an international celebrity. He left his country in South America when he was only 14 years old and had been arrested several times for stealing money in different countries, never using any violence. He had inspired documentaries and had 15 different identities. He also had arrest warrants in several countries. A true, complex thief, a fugitive we couldn’t hunt; we’d have to track him. We would have to be smarter than him and to respect his intelligence, a real target for the new fugitive unit.

I immediately sent an official request to Facebook to get the login IP addresses but, exactly as I expected, the legal team denied my request: the IP addresses were not in Switzerland and they would not send them to me. I was left with the profile. In 2016, Facebook Graph was still alive and I spent dozens of hours dissecting the photos, the likes, the friends, the comments. I was able to find some pictures suggesting that he was in the US but it seemed like a foolish move for him; he had already been arrested there just a few years before. A few days later, he posted pictures from Bermuda this time, then Spain. The comments were not showing any sign of travel though. And we understood: he was posting old pictures mixed with new pictures in an attempt to use social media without giving away his location. OPSEC through disinformation.

Then, he made a real mistake. He posted several pictures of himself, one of them taken in the lobby of a hotel in Vienna, Austria. Facebook doesn’t retain EXIF data but I had what was shown in the pictures. I found one with two cocktail glasses and a bill in the background. Zooming in on the bill like in a bad CSI episode allowed me to see the date (a few days before the post) and the address of the bar. Sammy Cinco was in Vienna!

I told my boss about these posts and he immediately contacted an international network of police officers working fugitive cases. As long as your target has an international arrest warrant and is an active case, fugitive trackers can activate this network. We did and the response was amazing: they identified the hotel right away and went to the bar, interviewed the waitresses, but no one really remembered Sammy. No CCTV was available. We lost him in a sea of 1.9 million people.

But then suddenly another post! From Spain this time. The pictures did not give us any detail and we did not have enough information to ask the teams in Spain to search for Sammy. The only thing I could do was monitor the posts and try to make any sense of the data the Austrian police sent us. We knew Sammy Cinco had several identities but none of his known aliases appeared in the files.

So, we kept to our routine, my boss would contact police departments around the world to coordinate the tracking and I would monitor his online behavior. At that time, I had found several other accounts on Snapchat and Skype. But none of them were useful. I even tried to social engineer a master in social engineering so he would click on one of my malicious links and give away his IP address but it never worked.

Every morning, I would sit at my desk, open my “OSINT machine”, connect it to an Android hotspot running on a prepaid SIM card and run dozens of requests to get friends' comments, comments on posts, likes, check-ins. Sammy was very active on Facebook and in the middle of dozens of comments I found what I was looking for: Sammy was explaining to a friend he would be in Paris, “in a few days”.

Quite excited, but a bit disillusioned, I passed the information on to my boss. He was on holiday, meaning I was on my own, so I contacted the French national fugitive unit and was put in contact with a great investigator, Robespierre*. Young enough to understand this “computer stuff” but experienced enough to know what to do with it. And he did well. Together, we identified the friend the fugitive was talking to and the French police set up surveillance around his apartment.

Robespierre requested the same data I had asked from Facebook a few weeks before and he got an IP address: a cheap hotel in the suburbs of Paris. They scrambled to the hotel but Sammy Cinco had already left. The clerk confirmed he was not alone in his room and said he was extremely nice and polite, speaking French fluently.

Robespierre notified the airports, train and bus stations but it was too late: the elusive fugitive was gone again. But not without making another mistake: he had left a copy of his forged passport at the reception of the French hotel. We had a new name to run in our databases, but sadly without any luck.

A few days passed, same routine, same nothing.

And then Sammy Cinco made his last mistake: he posted another picture from what appeared to be a hotel room balcony and he said he was in Morocco.

Contacting the Moroccan police proved to be complicated, so my boss asked me to go as deep as I could on the picture. Using Google and Yandex reverse image search, scrolling through hundreds of tourists' albums, I was able to identify the hotel, in Marrakech. A nice hotel, cozy but simple, with a great view of the marketplace.

Again, we contacted the authorities with our new findings and my boss finally got someone willing to act over the phone. They confirmed the name of the hotel and asked us if we wanted him arrested. We talked about it, weighing the pros and cons of having him arrested in Morocco, a country where the detention conditions are supposedly terrible but also a country where someone with a lot of cash could pay his way out. There was an international arrest warrant to his name, so the Moroccan police decided that they would arrest him. It took a while but they finally found him, thanks to the name we had found in Paris. Sammy Cinco’s fugitive career was over.

For a while.

He spent 12 months in prison before the administrative nightmare that is Moroccan extradition protocol finally sent him to us. He arrived in Switzerland and, probably because of the horrendous conditions he had to face during his time in prison, he was sentenced to time served and set free!

While he was still in Morocco something had changed though: the French police had a new case. Someone had stolen approximately $700,000 from the safe of a luxurious hotel room in Paris. CCTV was showing Sammy Cinco hanging out in the lobby of this hotel and the French prosecutor was really eager to talk to our prisoner. He issued an international arrest warrant. Too late, Sammy had already left Switzerland. We spent hours trying to find out if he flew, drove, took a bus or a train but were not able to find anything. In the stuff Sammy had left in his prison cell was the list of aliases we had for him: he had crossed out some of them, circled others.

We didn’t know what to expect but one thing was sure: he knew that we knew!

A few months after that, the fugitive unit was officially active. We had more than 4500 cases to work on, around 10 murderers and dozens of bank robbers.

Work for years to come.

One day, my boss and I received an email from a colleague working in another unit of the criminal police. He was forwarding us a picture of a man who had emptied the safe of a hotel in Germany. The cameras in the hotel’s corridors did not catch the face of the thief but we immediately recognized him.

What was his Facebook profile again?

*Fictitious names have been used in lieu of the real ones.

The awesome GIF used in this article is called Abu Shanab and was created by Omar Labbad.